This is an automated email from the ASF dual-hosted git repository.
dru pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-python.git
The following commit(s) were added to refs/heads/main by this push:
new 29ca7df3 chore(ci): add explicit least-privilege workflow permissions
(#3082)
29ca7df3 is described below
commit 29ca7df3e16224f6a989fec4e2568e4a230f92c4
Author: Kevin Liu <[email protected]>
AuthorDate: Tue Feb 24 21:44:25 2026 -0500
chore(ci): add explicit least-privilege workflow permissions (#3082)
---
.github/workflows/check-md-link.yml | 3 +++
.github/workflows/codeql.yml | 4 ++++
.github/workflows/license_check.yml | 3 +++
.github/workflows/nightly-pypi-build.yml | 3 +++
.github/workflows/pypi-build-artifacts.yml | 3 +++
.github/workflows/python-ci-docs.yml | 3 +++
.github/workflows/python-ci.yml | 3 +++
.github/workflows/python-release-docs.yml | 5 +++++
.github/workflows/python-release.yml | 3 +++
.github/workflows/svn-build-artifacts.yml | 3 +++
10 files changed, 33 insertions(+)
diff --git a/.github/workflows/check-md-link.yml
b/.github/workflows/check-md-link.yml
index 6bb71e1d..4a77e784 100644
--- a/.github/workflows/check-md-link.yml
+++ b/.github/workflows/check-md-link.yml
@@ -32,6 +32,9 @@ on:
- 'mkdocs/**'
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
markdown-link-check:
runs-on: ubuntu-latest
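Review bot: The new workflow-level `permissions: contents: read` becomes the token scope for every job that does not declare its own `permissions` block, so any job in this file that needs more than read access to the repository (for example `id-token: write` for OIDC trusted publishing or `pull-requests: write` to comment on a PR) would now fail with a 403 unless it re-declares what it needs; the jobs' steps are outside this hunk, so that cannot be confirmed here. The same applies to the equivalent hunks in license_check.yml, nightly-pypi-build.yml, pypi-build-artifacts.yml, python-ci-docs.yml, python-ci.yml, python-release.yml and svn-build-artifacts.yml, where only the first job's header is visible. codeql.yml and python-release-docs.yml already carry job-level blocks in this commit. A one-line comment above the block would make the intent explicit for the next editor: `# Default token scope for all jobs; a job needing more declares its own permissions block.`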
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3c9887a..e81c7158 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,11 +27,15 @@ on:
schedule:
- cron: '16 4 * * 1'
+permissions:
+ contents: read
+
jobs:
analyze:
name: Analyze Actions
runs-on: ubuntu-latest
permissions:
+ contents: read
security-events: write
packages: read
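Review bot: The job-level `contents: read` added under `analyze` looks redundant next to the new workflow-level block but is required, because a job-level `permissions` mapping replaces the workflow-level one rather than merging with it; without it the job would lose read access while keeping `security-events: write`. A short comment would stop a future cleanup from removing it as duplicated, e.g. `contents: read  # job-level permissions replace (not extend) the workflow block; keep read here`. The rest of the `analyze` job continues outside the hunk.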
diff --git a/.github/workflows/license_check.yml
b/.github/workflows/license_check.yml
index 41a4cb80..daf0b2f1 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -20,6 +20,9 @@
name: "Run License Check"
on: pull_request
+permissions:
+ contents: read
+
jobs:
rat:
runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly-pypi-build.yml
b/.github/workflows/nightly-pypi-build.yml
index 3f0f1591..c75b992c 100644
--- a/.github/workflows/nightly-pypi-build.yml
+++ b/.github/workflows/nightly-pypi-build.yml
@@ -24,6 +24,9 @@ on:
- cron: "0 0 * * *" # Runs at midnight UTC every day
workflow_dispatch: # Allows manual triggering
+permissions:
+ contents: read
+
jobs:
set-version:
if: github.repository == 'apache/iceberg-python' # Only run for apache
repo
diff --git a/.github/workflows/pypi-build-artifacts.yml
b/.github/workflows/pypi-build-artifacts.yml
index 230209a9..aeaf5c6f 100644
--- a/.github/workflows/pypi-build-artifacts.yml
+++ b/.github/workflows/pypi-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
required: true
type: string
+permissions:
+ contents: read
+
jobs:
pypi-build-artifacts:
name: Build artifacts for PyPi on ${{ matrix.os }}
diff --git a/.github/workflows/python-ci-docs.yml
b/.github/workflows/python-ci-docs.yml
index db7b0266..64c34eb3 100644
--- a/.github/workflows/python-ci-docs.yml
+++ b/.github/workflows/python-ci-docs.yml
@@ -25,6 +25,9 @@ on:
- 'main'
pull_request:
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index fadce41b..debdb0a9 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -38,6 +38,9 @@ on:
- '!LICENSE'
- '!NOTICE'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/python-release-docs.yml
b/.github/workflows/python-release-docs.yml
index 40cb3007..43a19b40 100644
--- a/.github/workflows/python-release-docs.yml
+++ b/.github/workflows/python-release-docs.yml
@@ -21,6 +21,9 @@ name: "Release Docs"
on:
workflow_dispatch:
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
@@ -28,6 +31,8 @@ concurrency:
jobs:
docs:
runs-on: ubuntu-latest
+ permissions:
+ contents: write
steps:
- uses: actions/checkout@v6
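Review bot: The job-level `contents: write` on `docs` is the only grant above read in this commit, and the hunk does not say which step needs it; the steps after `actions/checkout@v6` are outside the hunk, so presumably a later step pushes the rendered docs to a branch, but that should be stated next to the grant. Suggested: `contents: write  # needed by the publish step that pushes the built docs (confirm step)`. Since the first hunk shows `workflow_dispatch` as the only trigger, the write-scoped token is issued only on manual runs, which is worth keeping in mind if more triggers are added later.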
diff --git a/.github/workflows/python-release.yml
b/.github/workflows/python-release.yml
index d02de1fd..6be70a07 100644
--- a/.github/workflows/python-release.yml
+++ b/.github/workflows/python-release.yml
@@ -36,6 +36,9 @@ on:
type: number
required: true
+permissions:
+ contents: read
+
jobs:
validate-inputs:
runs-on: ubuntu-latest
diff --git a/.github/workflows/svn-build-artifacts.yml
b/.github/workflows/svn-build-artifacts.yml
index 1dbd6ac5..76307b7a 100644
--- a/.github/workflows/svn-build-artifacts.yml
+++ b/.github/workflows/svn-build-artifacts.yml
@@ -26,6 +26,9 @@ on:
required: true
type: string
+permissions:
+ contents: read
+
jobs:
svn-build-artifacts:
name: Build artifacts for SVN on ${{ matrix.os }}